The passwords during the login process *are* nicely hashed with a token, right.
But when creating an admin or editing passwords they are sent in plaintext.

I believe that the following changes are needed:
1. New passwords have to be hashed before they are sent (install/include/step3.php, admin/admins/password.php, admin/admins/create.php, admin/admins/my_password.php).
2. Old passwords (admin/admins/my_password.php) should be treated the same way as the passwords during the login process -- with tokens etc.

No changes are made to admin/admins/my_password.php. If you're going to revisit this when adding the password encryption for members (which I suppose could be the case as it, when done at once, would require fewer changes to the code), please don't forget it then.